Google is promoting a new standard for online privacy called Federated Learning of Cohorts (FLoC). While most everyone outside of the online advertising industry favors getting rid of third-party cookies, most everyone outside of Google is also opposed to FLoC.
In this report, we’ll examine how FLoC works and why so many people and organizations are opposed to Google’s new approach to tracking.
Let’s start at the root of the problem: third-party cookies.
Third-party cookies and why they need to go away
First off, what the heck is a third-party cookie? A third-party cookie is deployed by a website other than the one you are visiting. For example, imagine that you are browsing on somewebsite.com. If some other website (let’s call it sneakyadvertiser.com) were to place a cookie on your browser while you were on somewebsite.com, the sneakyadvertiser cookie would be a third-party cookie.
Why would sneakyadvertiser place a “third-party cookie” on your browser when you are visiting some other site? Because these cookies can be used to track your browsing habits as you surf the web. Sneakyadvertiser will know which websites you visit and will use all the information they have about you to display ads targeted directly at you.
There has always been strong opposition to the use of these privacy-invading third-party cookies, and finally there is action. Many web browsers simply block third-party cookies, including Firefox, which has been doing so since 2019. But Google’s Chrome browser did not block these cookies.
And that makes sense.
Google makes most of its money from internet advertising. Simply blocking third-party cookies like other browsers do could deeply hurt Google’s advertising revenues. But now that they have FLoC, they are ready to move against those nasty third-party cookies.
What is FLoC?
FLoC stands for Federated Learning of Cohorts and it is a method to categorize people into groups for targeted advertising purposes. To better understand FLoC, it helps to see how it works.
How does FLoC work?
For simplicity, we will refer to Google Chrome in this explanation since right now Chrome is the only browser that supports FLoC.
FLoC works by analyzing Chrome’s browsing history. It performs this analysis locally on your device using an algorithm called SimHash. SimHash is a technique for quickly estimating how similar two sets are. In the case of FLoC, SimHash will calculate how similar your browsing history is to others. The result of this calculation will let Chrome assign you to a cohort (group) of people with similar browsing histories.
This looks great so far. FLoC keeps your browsing history on your device and out of the hands of the companies that use third-party cookies. Those companies previously accumulated huge amounts of data that they could associate with individual users. How long they maintained that data, and how (in)secure it was we could never be sure.
Google says that cohorts will be analyzed to ensure that they don’t contain too much “highly sensitive content.” Specifically:
Before a cohort becomes eligible, Chrome analyzes it to see if the cohort is visiting pages with sensitive topics, such as medical websites or websites with political or religious content, at a high rate. If so, Chrome ensures that the cohort isn’t used, without learning which sensitive topics users were interested in.
Google has claimed that this approach should give advertisers around 95% of the results they achieve with third-party cookies, while still protecting the privacy of individual Chrome users. The company argues that simply blocking third-party cookies like other web browsers do will cause advertisers to use even more intrusive methods to target their ads. Google (which makes most of its money from ads) has a conflict of interest here, but the point is valid nonetheless.
FLoC can be seen as an attempt to keep all parties happy while still boosting the privacy of users.
Note: FLoC is just one method in the Privacy Sandbox, a 2019 Google pro-privacy initiative. The company is working on several other methods to improve Chrome privacy, which will be introduced over time.
Why others dislike FLoC
FLoC sounds good. It eliminates third-party cookies and protects user privacy while still allowing advertisers to make the money that keeps much of the internet humming. So why is there so much opposition to Google’s Federated Learning of Cohorts?
People see a number of potential problems with FLoC:
- It could make browser fingerprinting easier. Fingerprinting gathers many types of information from your web browser that collectively can be used to create a unique, stable identifier for your particular browser. FLoC will group you into cohorts of perhaps a few thousand people. Someone wanting to track you can then use browser fingerprinting to distinguish your browser from among the few thousand in your cohort, instead of the hundreds of millions of browsers active across the entire internet.
- FLoC can be a new source of data for anyone who already knows who you are. FLoC cohorts are sources of information about your online behavior and interests. For cohorts to be of useful to advertisers, there will have to be some way to gain useful information from a cohort ID. Because your FLoC cohort ID is available to any website you visit, it will be available to websites that know who you are (sites yo log into for example), but had not known anything about your behavior outside of their site.
- If it is hard to extract useful information from cohort IDs, large entities with the resources to extract that information will have a new advantage over smaller advertisers. And with cohorts being recalculated weekly, smaller competitors will be at a perpetual disadvantage.
- Any technology that makes it possible to target specific types of users also makes it possible to discriminate against specific types of users. There is an argument to be made for the old style contextual advertising: if you go to a fishing website, you get ads for fishing “stuff,” not ads based on information that some third-party tracking cookie or FLoC algorithm gathered about you.
Here are some quick questions and answers around FLoC and privacy.
Who else supports FLoC?
Aside from Google itself, we haven’t been able to find anyone among web browser companies or advertising companies that support FLoC. In fact, there is strong opposition to FLoC from the industry as well as privacy organizations such as the Electronic Frontier Foundation (EFF).
What is the Privacy Sandbox?
The Privacy Sandbox is Google’s plan to bring user data into the web browser and protect users from the cross-site tracking that advertisers currently use to profile users for targeted advertising. FLoC is just one element of the sandbox.
What is an Origin trial?
According to Google, origin trials, “allow developers to try out new features and give feedback on usability, practicality, and effectiveness to the web standards community.”
In an origin trial, developers can begin testing the feature without asking browser users to enable flags in Chrome. In other words, your copy of Chrome could be participating in this trial without your knowing it.
The odds of your browser being included in the current FLoC trials is small, but not zero. You can check to see if it is included at the EFF’s Am I FLoCed? page.
Do people want targeted ads?
The advertising industry claims that users are happy to receive targeted ads while browsing websites. But according to a survey commissioned by Global Witness and conducted by YouGov:
- 26% of respondents do not want their personal data used to target them with political ads.
- An additional 57% if respondents do not want their personal data used to target them with any ads.
As we can see from the data, most respondents dislike targeted ads in at least some circumstances. For this particular survey, the respondents were in Germany or France. Perhaps the appeal of targeted ads is less than the ad industry would like us to believe.
More recently, Ars Technica reported that analytics show that “96% of US users opt out of app tracking in iOS 14.5.” iOS 14.5 enforces a policy named App Tracking Transparency. The policy requires apps to request user permission if they want to use tracking techniques to follow users as they move around the web. Analysis of the data showed that only 4% of US users agreed to allow apps to track them.
What was that you said about users liking targeted ads?
We can’t read minds. That means we can’t tell you what the folks at Google were thinking when they created FLoC. The one thing we can say with certainty is that there appears to be little or no public support for FLoC outside of Google. But given Google Chrome’s dominant position in the browser market, it isn’t clear that the opinions of anyone outside Google will matter in the long run.
We’ll be watching the FLoC saga carefully, and will keep you informed when/if anything important happens.